exec.azurerm.keyvault.vault

Azure Resource Manager (ARM) Key Vault Execution Module

New in version 2.0.0.

Changed in version 4.0.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed as keyword arguments to every function or via acct in order to work properly.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD
idem_azurerm.exec.azurerm.keyvault.vault.check_name_availability(hub, ctx, name, **kwargs)

New in version 2.0.0.

Checks that the vault name is valid and is not already in use.

Parameters:name – The vault name.

CLI Example:

azurerm.keyvault.vault.check_name_availability test_name
idem_azurerm.exec.azurerm.keyvault.vault.create_or_update(hub, ctx, name, resource_group, location, tenant_id, sku, access_policies=None, vault_uri=None, create_mode=None, enabled_for_deployment=None, enabled_for_disk_encryption=None, enabled_for_template_deployment=None, enable_soft_delete=None, soft_delete_retention=None, enable_purge_protection=None, enable_rbac_authorization=None, network_acls=None, tags=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Create or update a key vault in the specified subscription.

Parameters:
  • name – The vault name.
  • resource_group – The name of the resource group to which the vault belongs.
  • location – The supported Azure location where the key vault should be created.
  • tenant_id – The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
  • sku – The SKU name to specify whether the key vault is a standard vault or a premium vault. Possible values include: ‘standard’ and ‘premium’.
  • access_policies

    A list of 0 to 16 dictionaries that represent AccessPolicyEntry objects. The AccessPolicyEntry objects represent identities that have access to the key vault. All identities in the list must use the same tenant ID as the key vault’s tenant ID. When createMode is set to “recover”, access policies are not required. Otherwise, access policies are required. Valid parameters are:

    • tenant_id: (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    • object_id: (Required) The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    • application_id: (Optional) Application ID of the client making request on behalf of a principal.
    • permissions: (Required) A dictionary representing permissions the identity has for keys, secrets, certificates, and storage accounts. Valid parameters include:
      • keys: A list that represents permissions to keys. Possible values include: ‘backup’, ‘create’, ‘decrypt’, ‘delete’, ‘encrypt’, ‘get’, ‘import_enum’, ‘list’, ‘purge’, ‘recover’, ‘restore’, ‘sign’, ‘unwrap_key’, ‘update’, ‘verify’, and ‘wrap_key’. (‘import_enum’ is the SDK spelling of the ‘import’ permission, because import is a reserved word in Python.)
      • secrets: A list that represents permissions to secrets. Possible values include: ‘backup’, ‘delete’, ‘get’, ‘list’, ‘purge’, ‘recover’, ‘restore’, and ‘set’.
      • certificates: A list that represents permissions to certificates. Possible values include: ‘create’, ‘delete’, ‘deleteissuers’, ‘get’, ‘getissuers’, ‘import_enum’, ‘list’, ‘listissuers’, ‘managecontacts’, ‘manageissuers’, ‘purge’, ‘recover’, ‘setissuers’, and ‘update’.
      • storage: A list that represents permissions to storage accounts. Possible values include: ‘backup’, ‘delete’, ‘deletesas’, ‘get’, ‘getsas’, ‘list’, ‘listsas’, ‘purge’, ‘recover’, ‘regeneratekey’, ‘restore’, ‘set’, ‘setsas’, and ‘update’.
  • vault_uri – The URI of the vault for performing operations on keys and secrets.
  • create_mode – The vault’s create mode to indicate whether the vault needs to be recovered or not. Possible values include: ‘recover’ and ‘default’.
  • enabled_for_deployment – A boolean value specifying whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault.
  • enabled_for_disk_encryption – A boolean value specifying whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys.
  • enabled_for_template_deployment – A boolean value specifying whether Azure Resource Manager is permitted to retrieve secrets from the key vault.
  • enable_soft_delete – A boolean value that specifies whether the ‘soft delete’ functionality is enabled for this key vault. If it is not set to any value (True or False) when creating a new key vault, it will be set to True by default. Once set to True, it cannot be reverted to False.
  • soft_delete_retention – The soft delete data retention period in days. It accepts values between 7-90, inclusive. Default value is 90.
  • enable_purge_protection – A boolean value specifying whether protection against purge is enabled for this vault. Setting this property to True activates purge protection for the vault and its contents: only the Key Vault service may then initiate a hard, irrecoverable deletion. Enabling this functionality is irreversible; the property does not accept False as its value. It is only effective if soft delete has been enabled via the enable_soft_delete parameter.
  • enable_rbac_authorization – A boolean value that controls how data actions are authorized. When set to True, the key vault uses Role Based Access Control (RBAC) for data actions and ignores the access policies specified in the vault properties (warning: this is a preview feature). When set to False, the key vault uses the access policies specified in the vault properties, and any policy stored on Azure Resource Manager is ignored. Management actions are always authorized with RBAC. Defaults to False.
  • network_acls – A dictionary representing a NetworkRuleSet. Rules governing the accessibility of the key vault from specific network locations.
  • tags – The tags that will be assigned to the key vault.

CLI Example:

azurerm.keyvault.vault.create_or_update test_name test_rg test_location test_tenant test_sku test_policies
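The soft delete, purge protection and RBAC switches above interact, and two of them are one-way. The pre-flight check below is an added example written for this page, not idem-azurerm code: it takes the current vault properties (field names are assumed to mirror the parameters above; pass None for a vault that does not exist yet) and the keyword arguments about to be passed to create_or_update, and reports the transitions the service rejects or that cannot be undone. The existing vault in the sample is constructed.

```python
"""Pre-flight check for the soft-delete / purge-protection / RBAC
switches of azurerm.keyvault.vault.create_or_update.

Added example, not idem-azurerm code. `current` is assumed to carry the
same field names as the create_or_update parameters; pass None when the
vault does not exist yet.
"""
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # ("error" | "warn", message)


def check_protection_settings(current: Optional[Dict], desired: Dict) -> List[Finding]:
    """Return findings for the proposed change; no "error" entries means it is safe to submit."""
    findings: List[Finding] = []
    cur = current or {}
    soft = desired.get("enable_soft_delete")
    purge = desired.get("enable_purge_protection")
    retention = desired.get("soft_delete_retention")
    rbac = desired.get("enable_rbac_authorization")

    # Soft delete is on by default for new vaults and cannot be turned off again.
    effective_soft = soft if soft is not None else cur.get("enable_soft_delete", True)
    if soft is False and cur.get("enable_soft_delete"):
        findings.append(("error", "enable_soft_delete cannot be reverted to False once enabled"))
    elif soft is False:
        findings.append(("warn", "creating a vault without soft delete: deleted keys and secrets cannot be recovered"))

    if retention is not None and not 7 <= retention <= 90:
        findings.append(("error", f"soft_delete_retention={retention} is outside the accepted 7-90 day range"))

    # Purge protection depends on soft delete and is itself irreversible.
    effective_purge = purge if purge is not None else cur.get("enable_purge_protection", False)
    if purge is True and not effective_soft:
        findings.append(("error", "enable_purge_protection is only effective with soft delete; set enable_soft_delete=True as well"))
    if purge is False and cur.get("enable_purge_protection"):
        findings.append(("error", "enable_purge_protection is irreversible; the API does not accept False"))
    if purge is True and not cur.get("enable_purge_protection"):
        findings.append(("warn", "enabling purge protection is irreversible; purge_deleted will be refused until the retention period has elapsed"))
    if effective_soft and not effective_purge:
        findings.append(("warn", "soft delete without purge protection: purge_deleted or a 'purge' permission can still hard-delete; consider enable_purge_protection=True"))

    # With RBAC data-plane authorization the supplied access policies are ignored.
    if rbac is True and desired.get("access_policies"):
        findings.append(("warn", "enable_rbac_authorization=True: the supplied access_policies are ignored for data actions"))
    return findings


# Constructed sample of an existing vault's properties (not real data).
EXISTING = {
    "enable_soft_delete": True,
    "soft_delete_retention": 90,
    "enable_purge_protection": False,
    "enable_rbac_authorization": False,
}

if __name__ == "__main__":
    for severity, message in check_protection_settings(EXISTING, {"enable_soft_delete": False}):
        print(f"{severity}: {message}")
```

Run the check on the `get` result and the intended kwargs before calling `create_or_update`; an "error" finding means the call would fail or would try to undo a one-way setting, a "warn" finding means the change succeeds but cannot be reverted or silently disables something.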
idem_azurerm.exec.azurerm.keyvault.vault.delete(hub, ctx, name, resource_group, **kwargs)

New in version 2.0.0.

Deletes the specified Azure key vault.

Parameters:
  • name – The vault name.
  • resource_group – The name of the resource group to which the vault belongs.

CLI Example:

azurerm.keyvault.vault.delete test_name test_rg
idem_azurerm.exec.azurerm.keyvault.vault.get(hub, ctx, name, resource_group, **kwargs)

New in version 2.0.0.

Gets the specified Azure key vault.

Parameters:
  • name – The vault name.
  • resource_group – The name of the resource group to which the vault belongs.

CLI Example:

azurerm.keyvault.vault.get test_name test_rg
idem_azurerm.exec.azurerm.keyvault.vault.get_deleted(hub, ctx, name, location, **kwargs)

New in version 2.0.0.

Gets the deleted Azure key vault.

Parameters:
  • name – The vault name.
  • location – The location of the deleted vault.

CLI Example:

azurerm.keyvault.vault.get_deleted test_name test_location
idem_azurerm.exec.azurerm.keyvault.vault.list_(hub, ctx, resource_group=None, top=None, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Gets information about the vaults associated with the subscription.

Parameters:
  • resource_group – The name of the resource group to limit the results.
  • top – Maximum number of results to return.

CLI Example:

azurerm.keyvault.vault.list
idem_azurerm.exec.azurerm.keyvault.vault.list_by_subscription(hub, ctx, top=None, **kwargs)

New in version 2.0.0.

The List operation gets information about the vaults associated with the subscription.

Parameters:top – Maximum number of results to return.

CLI Example:

azurerm.keyvault.vault.list_by_subscription
idem_azurerm.exec.azurerm.keyvault.vault.list_deleted(hub, ctx, **kwargs)

New in version 2.0.0.

Gets information about the deleted vaults in a subscription.

CLI Example:

azurerm.keyvault.vault.list_deleted
idem_azurerm.exec.azurerm.keyvault.vault.purge_deleted(hub, ctx, name, location, **kwargs)

New in version 2.0.0.

Changed in version 4.0.0.

Permanently deletes (purges) the specified Azure key vault.

Parameters:
  • name – The name of the soft-deleted vault.
  • location – The location of the soft-deleted vault.

CLI Example:

azurerm.keyvault.vault.purge_deleted test_name test_location
idem_azurerm.exec.azurerm.keyvault.vault.update_access_policy(hub, ctx, name, resource_group, operation_kind, access_policies, **kwargs)

New in version 2.0.0.

Update access policies in a key vault in the specified subscription.

Parameters:
  • name – The name of the vault.
  • resource_group – The name of the resource group to which the vault belongs.
  • operation_kind – Name of the operation. Possible values include: ‘add’, ‘replace’, and ‘remove’.
  • access_policies

    A list of 0 to 16 dictionaries that represent AccessPolicyEntry objects. The AccessPolicyEntry objects represent identities that have access to the key vault. All identities in the list must use the same tenant ID as the key vault’s tenant ID. Valid parameters are:

    • tenant_id: (Required) The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault.
    • object_id: (Required) The object ID of a user, service principal, or security group in the Azure Active Directory tenant for the vault. The object ID must be unique for the list of access policies.
    • application_id: (Optional) Application ID of the client making request on behalf of a principal.
    • permissions: (Required) A dictionary representing permissions the identity has for keys, secrets, certificates, and storage accounts. Valid parameters include:
      • keys: A list that represents permissions to keys. Possible values include: ‘backup’, ‘create’, ‘decrypt’, ‘delete’, ‘encrypt’, ‘get’, ‘import_enum’, ‘list’, ‘purge’, ‘recover’, ‘restore’, ‘sign’, ‘unwrap_key’, ‘update’, ‘verify’, and ‘wrap_key’.
      • secrets: A list that represents permissions to secrets. Possible values include: ‘backup’, ‘delete’, ‘get’, ‘list’, ‘purge’, ‘recover’, ‘restore’, and ‘set’.
      • certificates: A list that represents permissions to certificates. Possible values include: ‘create’, ‘delete’, ‘deleteissuers’, ‘get’, ‘getissuers’, ‘import_enum’, ‘list’, ‘listissuers’, ‘managecontacts’, ‘manageissuers’, ‘purge’, ‘recover’, ‘setissuers’, and ‘update’.
      • storage: A list that represents permissions to storage accounts. Possible values include: ‘backup’, ‘delete’, ‘deletesas’, ‘get’, ‘getsas’, ‘list’, ‘listsas’, ‘purge’, ‘recover’, ‘regeneratekey’, ‘restore’, ‘set’, ‘setsas’, and ‘update’.

CLI Example:

azurerm.keyvault.vault.update_access_policy test_name test_rg test_kind test_policies
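Both create_or_update and update_access_policy take the same access_policies structure, and the service only rejects a malformed list after the round trip. The validator below is an added example, not part of idem-azurerm: it checks a list against the constraints stated on this page (0 to 16 entries, required keys, unique object IDs, a single tenant, the documented permission names) and flags grants a least-privilege review would question. The tenant and object IDs in the sample are constructed. The ‘import’ versus ‘import_enum’ mismatch it catches is a real pitfall: the Azure SDK spells the key and certificate import permission ‘import_enum’ because import is a Python keyword.

```python
"""Pre-flight validation of an access_policies list for
azurerm.keyvault.vault.create_or_update and update_access_policy.

Added example, not idem-azurerm code. The permission vocabularies are
the ones documented on this page; sample IDs below are constructed.
"""
from typing import Dict, List, Tuple

KEY_PERMS = {"backup", "create", "decrypt", "delete", "encrypt", "get",
             "import_enum", "list", "purge", "recover", "restore", "sign",
             "unwrap_key", "update", "verify", "wrap_key"}
SECRET_PERMS = {"backup", "delete", "get", "list", "purge", "recover",
                "restore", "set"}
CERT_PERMS = {"create", "delete", "deleteissuers", "get", "getissuers",
              "import_enum", "list", "listissuers", "managecontacts",
              "manageissuers", "purge", "recover", "setissuers", "update"}
STORAGE_PERMS = {"backup", "delete", "deletesas", "get", "getsas", "list",
                 "listsas", "purge", "recover", "regeneratekey", "restore",
                 "set", "setsas", "update"}
VOCAB = {"keys": KEY_PERMS, "secrets": SECRET_PERMS,
         "certificates": CERT_PERMS, "storage": STORAGE_PERMS}

# Grants that destroy data, bypass soft-delete recovery, or exfiltrate
# material wholesale. Worth a warning for any consumer workload identity.
DANGEROUS = {"purge", "delete", "backup", "restore", "regeneratekey"}


def validate_access_policies(policies: List[Dict], vault_tenant_id: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). An empty errors list means the list is well-formed."""
    errors: List[str] = []
    warnings: List[str] = []
    if not 0 <= len(policies) <= 16:
        errors.append(f"{len(policies)} entries; the API accepts 0 to 16")
    seen = set()
    for i, pol in enumerate(policies):
        where = f"access_policies[{i}]"
        for key in ("tenant_id", "object_id", "permissions"):
            if key not in pol:
                errors.append(f"{where}: missing required key '{key}'")
        # Every entry must belong to the vault's own tenant.
        if pol.get("tenant_id") not in (None, vault_tenant_id):
            errors.append(f"{where}: tenant_id {pol['tenant_id']} differs from vault tenant {vault_tenant_id}")
        oid = pol.get("object_id")
        if oid is not None:
            if oid in seen:
                errors.append(f"{where}: duplicate object_id {oid}")
            seen.add(oid)
        perms = pol.get("permissions") or {}
        if not isinstance(perms, dict):
            errors.append(f"{where}: permissions must be a dict")
            continue
        for kind, granted in perms.items():
            if kind not in VOCAB:
                errors.append(f"{where}: unknown permission class '{kind}'")
                continue
            unknown = set(granted) - VOCAB[kind]
            if unknown:
                errors.append(f"{where}: unknown {kind} permissions {sorted(unknown)}")
            risky = set(granted) & DANGEROUS
            if risky:
                warnings.append(f"{where}: {kind} grants {sorted(risky)} to {oid}; confirm this principal needs them")
        if not any(perms.values()):
            warnings.append(f"{where}: grants no permissions at all")
    return errors, warnings


# Constructed sample: one least-privilege reader and one entry that is both
# over-privileged and misspells the import permission.
VAULT_TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_POLICIES = [
    {"tenant_id": VAULT_TENANT,
     "object_id": "11111111-1111-1111-1111-111111111111",
     "permissions": {"secrets": ["get", "list"]}},
    {"tenant_id": VAULT_TENANT,
     "object_id": "22222222-2222-2222-2222-222222222222",
     "permissions": {"keys": ["get", "purge", "import"], "secrets": ["get"]}},
]

if __name__ == "__main__":
    errs, warns = validate_access_policies(SAMPLE_POLICIES, VAULT_TENANT)
    for line in errs:
        print("error:", line)
    for line in warns:
        print("warn:", line)
```

Pass the vault's tenant ID as the second argument; with update_access_policy and operation_kind ‘remove’ the permissions contents do not matter, but the same tenant and object_id checks still apply.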